GHSA-rjhf-4mh8-9xjq: Zerocopy: Some Ref methods are unsound with some type parameters

December 18, 2023 (updated February 12, 2024)

The Ref methods into_ref, into_mut, into_slice, and into_slice_mut are unsound and may allow safe code to exhibit undefined behavior when used with Ref<B, T> where B is cell::Ref or cell::RefMut. Note that these methods remain sound when used with B types other than cell::Ref or cell::RefMut.

See https://github.com/google/zerocopy/issues/716 for a more in-depth analysis.

The current plan is to yank the affected versions soon. See https://github.com/google/zerocopy/issues/679 for more detail.

References

github.com/advisories/GHSA-rjhf-4mh8-9xjq
github.com/google/zerocopy
github.com/google/zerocopy/issues/679
github.com/google/zerocopy/issues/71
github.com/google/zerocopy/issues/716
rustsec.org/advisories/RUSTSEC-2023-0074.html

Code Behaviors & Features

Detect and mitigate GHSA-rjhf-4mh8-9xjq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →